USING NAGIOS FOR INTRUSION DETECTION

M. Cárdenas Montes, E. Pérez Calle, F.J. Rodríguez Calonge, CIEMAT, Madrid, Spain
Abstract

Implementing strategies for secure access to widely accessible clusters is a basic requirement of these services, in particular if GRID integration is sought. This issue has two complementary lines to consider: the security perimeter and intrusion detection systems. In this paper we address aspects of the second one.

Compared to classical intrusion detection mechanisms, close monitoring of computer services can substantially help to detect signs of intrusion. Alarms indicating the presence of an intruder in a system allow system administrators to act quickly to minimize damage and to stop the spread towards other critical systems.

One possible monitoring tool is Nagios (www.nagios.org), a powerful GNU tool able to observe and collect information about a variety of services and to trigger alerts.

In this paper we present the work done at CIEMAT, where we have applied these guidelines to our local cluster. We have implemented a system that monitors the hardware and sensitive system information. We describe the process and show, through several simulated security threats, how our implementation responds to them.

INTRODUCTION

The construction of the infrastructure needed for the GRID presents new and interesting challenges. A fundamental aspect of reaching the stated aims is the deployment of an effective security system. Preventing the GRID from being used by unauthorized persons gives researchers confidence in using it. In addition, it is indispensable to prevent the system from being used to launch attacks against other systems.

In this context, intrusion detection systems (IDS) acquire special importance. An IDS allows the presence of intruders in the system to be detected as soon as possible. Quick detection minimizes the damage done to the system and avoids the platform being used for further attacks on other systems. There are two types of IDS: host intrusion detection systems (HIDS) and network intrusion detection systems (NIDS). A NIDS is an intrusion detection device that looks at network traffic and tries to detect intrusion attempts based on patterns and specific packets. A HIDS is an intrusion detection device that looks for unauthorized changes in files.

There are basically three ways to detect intruders on a system: changes in the filesystem, strange entries in the log files, and strange packets on the network. Our aim has been the study, evaluation and deployment of a HIDS based on Open Source software. A system based on technologies such as Nagios, SNMP, Tripwire and Chkrootkit has been deployed at CIEMAT, at the University of Barcelona (UB) and at the Universidad Autónoma de Madrid (UAM).

NAGIOS

Nagios is a system designed for monitoring computers, detecting failures in services and sending notifications to administrative contacts. Nagios is not specifically an IDS. On the other hand, Nagios has a friendly interface, is easy to use, is very flexible and comes with an alerting system.

Nagios has a modular design with a web interface and a set of plugins to check the different services. Worth pointing out is its support for SNMP queries: it can use the check_snmp plugin to check the value of whichever OIDs the administrator is interested in. For this, an SNMP agent must be running on the remote host.

Another way to check local or private services is to use check_by_ssh. check_by_ssh is a plugin that executes a script on a remote host over the SSH protocol. Any script to be executed on the remote host has to be installed there beforehand (and the account Nagios runs as needs key-based SSH access to that host).

What do we monitor?

As soon as an intruder gains access to a system through a vulnerability, it is common for him to take the actions needed to conceal his presence and to create privileged access. These actions can be carried out by installing a rootkit or manually. In the latter case, the intruder usually creates a user with superuser privileges. To detect this action, a script has been created that reports the number of users with uid=0 (superuser privileges), sending an alert if this number is greater than 1.

Less frequently, the intruder creates a user without a password. To detect this anomaly another script has been created.

Once the intruder has gained privileged access to the system, he will try to capture information about other computers on the same network (especially user names and passwords). This task is carried out by a sniffer installed by the intruder. Activating the sniffer means that the network interface is put into promiscuous mode. A script to detect promiscuous mode on the network interface has also been created.

Files used by the intruder (sniffer binaries, configuration files, files of captured information) are usually hidden in the /dev directory. Another script has been created to ensure that no regular files have been hidden there.

These four scripts are executed using the check_by_ssh plugin. The information gathered by the plugin is sent to the Nagios monitor. This set of scripts covers enough information to detect the presence of an intruder quickly, whether or not he takes actions to conceal his presence. If an intruder replaces the ifconfig binary with one that does not show that the interface is in promiscuous mode, then it will not be possible to detect with this command whether the interface is in that mode. So it is necessary to prevent our binaries from being replaced by trojanized ones.

The detection of rootkits and trojans is an aspect not covered by these scripts.
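As an added example, not the authors' scripts (which the paper does not reproduce), the following POSIX shell plugin implements the four checks above in the form check_by_ssh expects from a remote command: one status line on stdout and a Nagios exit code (0 OK, 2 CRITICAL). The installation path, the node name node01 and the exclusion of /dev/shm and /dev/mqueue are assumptions; the data in demo() is constructed, not captured from a real host.

```shell
#!/bin/sh
# check_intruder_signs.sh: a Nagios plugin for the four checks described above
# (uid-0 accounts, empty passwords, promiscuous interfaces, regular files in
# /dev). Added example, not the authors' scripts. Nagios plugin convention:
# one status line on stdout, exit 0 for OK, 2 for CRITICAL.
# Each check is a function over text on stdin so it can be exercised on canned
# data; collect_live feeds the same functions from the real system.

# Number of accounts with uid 0. Input: /etc/passwd lines. Expected value: 1.
count_uid0() {
    awk -F: '$3 == 0 { n++ } END { print n + 0 }'
}

# Number of accounts with an empty password field. Input: /etc/shadow lines.
# An empty second field means login without any password, unlike "!" or "*",
# which lock the account.
count_nopass() {
    awk -F: '$2 == "" { n++ } END { print n + 0 }'
}

# Number of interfaces in promiscuous mode. Input: one interface per line from
# "ip -o -d link show" (or "ifconfig -a"). Matches the PROMISC flag and also
# "promiscuity N" with N > 0: a sniffer that enables promiscuity through a
# packet socket raises the kernel counter without setting the flag that the
# ifconfig / ip link flag list shows.
count_promisc() {
    awk '/PROMISC/ || /promiscuity [1-9]/ { n++ } END { print n + 0 }'
}

# Number of regular files under /dev. Input: find output, one path per line.
# collect_live prunes /dev/shm and /dev/mqueue, where regular files are normal.
count_dev_files() {
    awk 'NF { n++ } END { print n + 0 }'
}

# Map the four counts to a Nagios status line and exit code. All four
# conditions are intruder signs rather than load problems, so any deviation is
# CRITICAL, not WARNING.
evaluate() {
    msg=""
    if [ "$1" -gt 1 ]; then msg="$msg uid0_accounts=$1"; fi
    if [ "$2" -gt 0 ]; then msg="$msg empty_passwords=$2"; fi
    if [ "$3" -gt 0 ]; then msg="$msg promisc_ifaces=$3"; fi
    if [ "$4" -gt 0 ]; then msg="$msg regular_files_in_dev=$4"; fi
    if [ -n "$msg" ]; then
        echo "INTRUDER SIGNS CRITICAL -$msg"
        return 2
    fi
    echo "INTRUDER SIGNS OK - uid0=$1, no empty passwords, no promiscuous interface, /dev clean"
    return 0
}

# Live collection; needs root (or an account allowed to read /etc/shadow).
# This is the command check_by_ssh runs on each node.
collect_live() {
    uid0=$(count_uid0 < /etc/passwd)
    nopass=$(count_nopass < /etc/shadow)
    promisc=$( (ip -o -d link show 2>/dev/null || ifconfig -a 2>/dev/null) | count_promisc)
    devfiles=$(find /dev \( -path /dev/shm -o -path /dev/mqueue \) -prune -o -type f -print 2>/dev/null | count_dev_files)
    evaluate "$uid0" "$nopass" "$promisc" "$devfiles"
}

# Offline demonstration on constructed data (not captured from a real host):
# a second uid-0 account "toor", a passwordless "guest", eth0 sniffed through
# a packet socket (flag absent, counter raised) and a log hidden under /dev.
demo() {
    passwd='root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:backdoor:/:/bin/sh'
    shadow='root:$6$saltsalt$hashhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
guest::19000:0:99999:7:::'
    links='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 promiscuity 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 promiscuity 1'
    devfiles='/dev/ptyq/.hidden/sniff.log'
    evaluate "$(printf '%s\n' "$passwd" | count_uid0)" \
             "$(printf '%s\n' "$shadow" | count_nopass)" \
             "$(printf '%s\n' "$links" | count_promisc)" \
             "$(printf '%s\n' "$devfiles" | count_dev_files)"
}

# From the Nagios server, assuming the script is installed on the node
# (hypothetical path and host name):
#   check_by_ssh -H node01 -C '/usr/local/nagios/libexec/check_intruder_signs.sh --run'
case "${1:-}" in
    --run)  collect_live; exit $? ;;
    --demo) demo; exit $? ;;
esac
```

Two caveats a practitioner will want here. On current Linux kernels a sniffer that enables promiscuity through a packet socket does not set the PROMISC flag that ifconfig and ip link display (the kernel reports only flags requested through SIOCSIFFLAGS there), which is why the check also reads the promiscuity counter from ip -d link. And the plugin runs with the node's own awk, find and ip: as the text notes, if those binaries have been trojanized its result cannot be trusted, which is the gap the Tripwire section closes.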
Figure 1: View of Nagios main screen.

TRIPWIRE AND NAGIOS

A knowledgeable malicious user will try to modify certain system binaries, among them ifconfig, ls, find, netstat, ps, top... The modified binaries conceal the signs of the intruder's presence.

For example, a modified ps binary will hide the execution of the sniffer installed by the intruder, and a modified ifconfig will hide that the network interface is in promiscuous mode. Finally, if the ls binary is altered it will not show the directory where the intruder has installed his files. It is in the detection of these file alterations where the use of Tripwire turns out to be strategic.

Tripwire is an intrusion detection tool able to detect and pinpoint changes to files. In the Open Source version, Tripwire is a command-line tool. On Unix systems, Tripwire is able to detect changes affecting the following properties:

• File additions, deletions and modifications.
• File permissions and properties.
• Inode number and number of links.
• User id of the owner and group id of the owner.
• File type and size.
• Device number of the disk on which the inode associated with the file is stored.
• Device number of the device to which the inode points.
• Number of blocks allocated to the file.
• Modification, access and creation timestamps.
• Inode creation and modification timestamps.
• Hash checking: the RSA MD2, MD4 and MD5 digests, SHA and Haval.

To detect these changes, Tripwire builds a database of the monitored files, signed and encrypted with a local key. Periodically the consistency of the files is checked against the reference information in the database, and a report is created with the most relevant information.
Figure 2: View of a computer services state screen.

It is necessary to include Tripwire's own binaries in the database to assure its self-integrity.

Using the Tripwire database, administrators can check all the critical files for tampering. Now, how do you know if someone has tampered with your Tripwire binaries or with the Tripwire database? After all, if the intruder can modify the Tripwire database, changes cannot be detected.

Several methods exist. The easiest is to place the Tripwire database on a read-only floppy disk. Since most Linux machines have a floppy drive and few are in use all the time, it is a good match. Other possible schemes include: mounting the Tripwire database read-only from another, more secure machine (for example an NFS read-only mount from a remote, more secure machine with a floppy), putting it on a write-protected Zip disk, or even taking an old, small hard drive that has been jumpered to hardware read-only and putting it there. The idea is to put it on some media that you can make read-only in hardware. It does you no good to place the Tripwire database where an intruder can mess with it.

At CIEMAT and the other institutes we have chosen a different strategy. A checksum of the database file is computed and inserted in the MIB tree, and the hash is checked by SNMP request against reference information held on a central platform.

What do we monitor?

To analyze routinely the consistency between the monitored files and the information stored in the database, a script has been created that is launched by Nagios. This script starts the execution of Tripwire, analyzes the generated report and sends the resulting information to Nagios. Based on this information Nagios generates the necessary alerts.

In order to prevent the execution of Tripwire from monopolizing too many resources, the check has been restricted to a few system binaries. These binaries have been chosen for being the principal targets of intruders: ls, ps, top, netstat, su, find, ...

This script is executed by check_by_ssh, like the four previous scripts.

With the use of Tripwire, an intruder will not be able to change the monitored binaries without being noticed. The attacker cannot hide his presence with modified binaries.
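The two pieces of the Tripwire integration (the check launched through check_by_ssh that parses the report, and the database hash published in the MIB and compared with the central reference through check_snmp), as one added example in POSIX shell; it is not the authors' script. The database path, the list of binaries, the extend name twdb, the host name node01 and the community string are assumptions for a typical Tripwire and net-snmp installation; the report inside demo() is constructed to look like a tripwire --check summary in which ps and ifconfig have been modified.

```shell
#!/bin/sh
# check_tripwire.sh: the Tripwire side of the set-up described above, as an
# added example (not the authors' script). Two pieces:
#  1. tw_check: run a restricted Tripwire check, parse the report and emit a
#     Nagios status line (run on the node through check_by_ssh).
#  2. hash_file / db_hash_state: publish the hash of the Tripwire database
#     through snmpd and compare it with the reference hash kept on the central
#     Nagios server (queried with check_snmp).
# Paths, the binary list and the OID naming below are assumptions.

TWDB=${TWDB:-/var/lib/tripwire/$(uname -n).twd}   # assumed database location

# Number of violations in a "tripwire --check" report read from stdin.
# The report summary ends with a line "Total violations found:  N".
# -1 means no summary was found (Tripwire failed, database missing).
tw_violations() {
    awk '/^Total violations found:/ { print $NF + 0; found = 1 }
         END { if (!found) print -1 }'
}

# Paths of added/removed/modified objects: in the Object Summary each one is
# printed on its own line as a quoted absolute path, e.g. "/bin/ps".
tw_changed_paths() {
    awk '/^"\// { gsub(/"/, ""); printf "%s%s", sep, $0; sep = " " } END { print "" }'
}

# Turn a report (stdin) into a status line and exit code. An unparseable
# report is UNKNOWN (3) rather than OK, so a broken or disabled Tripwire is
# never mistaken for a clean system.
tw_state() {
    report=$(cat)
    n=$(printf '%s\n' "$report" | tw_violations)
    if [ "$n" -lt 0 ]; then
        echo "TRIPWIRE UNKNOWN - no summary in report"; return 3
    fi
    if [ "$n" -eq 0 ]; then
        echo "TRIPWIRE OK - 0 violations"; return 0
    fi
    echo "TRIPWIRE CRITICAL - $n violation(s): $(printf '%s\n' "$report" | tw_changed_paths)"
    return 2
}

# Live check restricted, as in the paper, to the binaries intruders replace
# most often, so a run is cheap enough for a periodic Nagios service.
tw_check() {
    tripwire --check /bin/ls /bin/ps /usr/bin/top /bin/netstat /bin/su /usr/bin/find 2>/dev/null | tw_state
}

# SHA-1 of a file (the database): first field of sha1sum/shasum output.
hash_file() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"; else shasum "$1"; fi | awk '{ print $1 }'
}

# Compare the hash reported by the node ($2) with the reference held
# centrally ($1). Any mismatch is CRITICAL: either a legitimate
# "tripwire --update" that the administrator must re-register, or tampering.
db_hash_state() {
    if [ "$1" = "$2" ]; then
        echo "TWDB OK - database hash matches reference"; return 0
    fi
    echo "TWDB CRITICAL - database hash $2 differs from reference $1"; return 2
}

# Offline demonstration on a constructed report (not from a real host) in
# which the rule for critical binaries reports ps and ifconfig as modified.
demo() {
    tw_state <<'EOF'
Tripwire(R) 2.4.1 Integrity Check Report

Rule Summary:
  Rule Name                       Severity Level    Added    Removed  Modified
* Critical system binaries        100               0        0        2

Total objects scanned:  14
Total violations found:  2

Object Summary:
Rule Name: Critical system binaries
Severity Level: 100
Modified:
"/bin/ps"
"/sbin/ifconfig"
EOF
}

# On the node, snmpd.conf exposes the database hash as one line of output:
#   extend twdb /usr/local/nagios/libexec/check_tripwire.sh --db-hash
# On the Nagios server, check_snmp compares it with the stored reference:
#   check_snmp -H node01 -C public \
#       -o 'NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."twdb"' -s "$REFERENCE_HASH"
case "${1:-}" in
    --check)   tw_check; exit $? ;;
    --db-hash) hash_file "$TWDB"; exit $? ;;
    --demo)    demo; exit $? ;;
esac
```

tripwire --check needs read access to the database, the policy and the checked files, so the account check_by_ssh logs in as needs the corresponding rights. The hash comparison only helps if the reference value lives on the central platform and never on the monitored node: a root intruder who can rewrite the database can also rewrite anything stored beside it, and can in principle feed snmpd a forged answer, so what this check reliably shows is a mismatch, not the absence of one. Re-register the reference after every legitimate tripwire --update.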
CHKROOTKIT AND NAGIOS

With the popularization of automated attack tools, gaining privileged access and concealing it have become extremely simple tasks. After the exploration phase and the phase of obtaining privileged access, the intruder's concern centres on installing a rootkit that conceals his presence and maintains the privileges obtained.

Chkrootkit is a command-line tool that detects the presence of rootkits. It uses several methods:

• Checking for promiscuous mode on the network interfaces.
• Looking for differences between the processes running in the system according to the ps command and the information in /proc.
• Detecting the removal of entries from the wtmp file, where the login records are stored.
• Checking the open connections.
• Checking for the fingerprints of known rootkits.

Chkrootkit uses some of the system's binaries to detect rootkits, so Chkrootkit can be trusted only if those binaries are trusted. The main group of these binaries is already monitored by Tripwire, so the responsibility is transferred to Tripwire.

What do we monitor?

In the integration of Chkrootkit with Nagios a different strategy has been followed from the one used with Tripwire. A script has been created that is executed by snmpd (the Simple Network Management Protocol daemon) and that inserts state information into the MIB tree. This information is gathered by an SNMP query, which is implemented in Nagios using its own check, check_snmp.

This strategy was motivated by the long execution time of the chkrootkit test. The SNMP query from Nagios is implemented through a check for SNMP queries; in this check it is only necessary to specify the Object Identifier (OID), the target machine and the community name.

The use of Chkrootkit allows the most modern, sophisticated and popular intruder concealment systems to be detected. Together with Tripwire and the scripts written by the authors, Chkrootkit establishes a HIDS capable of recognizing the subtlest signs of an intruder's presence.
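An added example (not the authors' script) of the snmpd-side integration described in this section, in POSIX shell: a cron job runs chkrootkit and writes a timestamped one-line summary to a cache, an extend entry in snmpd.conf serves that summary as an OID, and check_snmp on the Nagios server polls it. The cache path, the two-hour freshness limit, the extend name chkrootkit, the host and community names are assumptions; the chkrootkit output in sample_chkrootkit_output() is constructed, not captured from a real host.

```shell
#!/bin/sh
# check_chkrootkit.sh: chkrootkit published through snmpd, as an added
# example (not the authors' script). A full chkrootkit run is slow, so a
# cron job runs it and stores a timestamped one-line summary; snmpd serves
# that summary through an "extend" entry and the Nagios server polls it
# with check_snmp. Cache path, freshness limit and names are assumptions.

CACHE=${CACHE:-/var/cache/chkrootkit.status}   # line 1: epoch time, line 2: summary
MAX_AGE=${MAX_AGE:-7200}                         # seconds before the summary counts as stale

# Reduce chkrootkit output on stdin to "infected=N suspicious=N".
# "INFECTED" (upper case) is chkrootkit's verdict for a binary that matches a
# rootkit fingerprint; the clean verdict "not infected" must not be counted,
# so the match is case-sensitive. Hidden processes, LKM warnings and
# interfaces with sniffer sockets are reported as suspicious.
ck_summarize() {
    awk '/INFECTED/ { inf++ }
         /Warning|Possible|hidden|PACKET SNIFFER|PROMISC/ { sus++ }
         END { printf "infected=%d suspicious=%d\n", inf + 0, sus + 0 }'
}

# Map a summary line and the age of the cache (seconds) to a Nagios state.
# A missing or stale summary is UNKNOWN (3): if cron stopped, or an intruder
# removed the job, the service must not keep reporting the last OK result.
ck_state() {
    summary=$1
    age=${2:-999999}
    if [ -z "$summary" ] || [ "$age" -gt "$MAX_AGE" ]; then
        echo "CHKROOTKIT UNKNOWN - no chkrootkit result newer than ${MAX_AGE}s (age ${age}s)"
        return 3
    fi
    inf=${summary#infected=}; inf=${inf%% *}
    sus=${summary##*suspicious=}
    if [ "$inf" -gt 0 ]; then echo "CHKROOTKIT CRITICAL - $summary"; return 2; fi
    if [ "$sus" -gt 0 ]; then echo "CHKROOTKIT WARNING - $summary"; return 1; fi
    echo "CHKROOTKIT OK - $summary"
    return 0
}

# Cron side: run chkrootkit and replace the cache atomically, so snmpd never
# reads a half-written file. Crontab entry (assumed path and interval):
#   0 */2 * * * root /usr/local/nagios/libexec/check_chkrootkit.sh --refresh
ck_refresh() {
    { date +%s; chkrootkit 2>/dev/null | ck_summarize; } > "$CACHE.tmp" \
        && mv "$CACHE.tmp" "$CACHE"
}

# snmpd side: print the status line for the extend entry in snmpd.conf:
#   extend chkrootkit /usr/local/nagios/libexec/check_chkrootkit.sh --snmp
# Nagios side, polling the one-line output (host and community assumed):
#   check_snmp -H node01 -C public \
#       -o 'NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."chkrootkit"' -r '^CHKROOTKIT OK'
ck_snmp() {
    if [ -r "$CACHE" ]; then
        stamp=$(sed -n 1p "$CACHE")
        ck_state "$(sed -n 2p "$CACHE")" $(( $(date +%s) - ${stamp:-0} ))
    else
        ck_state ""
    fi
}

# Constructed chkrootkit output (not from a real host): ifconfig replaced by
# a rootkit, a sniffer on eth0 and two processes hidden from ps.
sample_chkrootkit_output() {
    printf '%s\n' \
        "ROOTDIR is \`/'" \
        "Checking \`ifconfig'... INFECTED" \
        "Checking \`ls'... not infected" \
        "Checking \`ps'... not infected" \
        "Checking \`sniffer'... eth0: PACKET SNIFFER(/dev/ptyq/sniff[2314])" \
        "Checking \`lkm'... You have     2 process hidden for readdir command" \
        "chkproc: Warning: Possible LKM Trojan installed" \
        "Checking \`wted'... nothing deleted"
}

# Offline demonstration: summarize the sample as if the cache were 60 s old.
demo() {
    ck_state "$(sample_chkrootkit_output | ck_summarize)" 60
}

case "${1:-}" in
    --refresh) ck_refresh; exit $? ;;
    --snmp)    ck_snmp;    exit $? ;;
    --demo)    demo;       exit $? ;;
esac
```

Serving a cached result also makes a stale cache visible: if cron stops, or an intruder removes the job, the summary ages past MAX_AGE and the service goes to UNKNOWN instead of silently staying OK. check_snmp's -r option only distinguishes match from no match, so the Nagios service can match the OK prefix and treat everything else as CRITICAL, or publish the numeric state through a second extend entry if WARNING must stay distinct. As the text notes, chkrootkit trusts the node's own binaries, and snmpd itself runs on the possibly compromised host; keeping those binaries in the Tripwire set is what makes this result meaningful.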
CONCLUSION

The deployment of a HIDS made up of several GNU technologies is possible. In the facilities set up at CIEMAT, UAM and UB we monitor the computing nodes in detail and are capable of detecting the presence of an intruder from his first steps. This model has proved highly effective in the simulated attacks carried out by the authors. Likewise it is of great help to administrators, since the periodic and automated examination with these tools saves time in security tasks.